The CFO’s Role in Cyber Security
Many finance chiefs are being called upon to help promote cyber security and identify threats.
The importance of cyber security is no secret to anyone who watches the nightly news. Senior executives at businesses of all sizes understand all too well that today’s global economy is still not adequately protected against cyberattacks, despite years of effort and spending in the multi-billion dollar range each year. But until recently, many CFOs may not have been considered an integral part of an organization’s security team or understood how to respond to security risks and the implications for their organizations. But times have changed and many CFOs are being called upon to help promote cyber security and identify threats.
CFOs have a major role to play in the daily running of an organization. For starters, they work directly with financial analysts and have concerns over loss of control over their financial reporting. Of course they are also concerned with the potential loss of funds either through good, old-fashioned theft or as a direct result of another third party’s misfortune.
If you think about it, finance chiefs have good reason to be concerned. The information that the CFO controls and works with on a daily basis is some of the most sensitive and important that can be found in an organization. The CFO must understand where the information is at all times, how it’s secured, who might want to steal it, and how hackers might gain access to it. Perhaps most importantly, the CFO has a duty to provide plain, true, and complete disclosure to the board on a wide range of issues. Today, many would argue that they should include the potential impact of cyberattack on the financial standing of the organization.
The cost of a cyber-attack, whether it’s financial or reputational, can be astounding. For CFOs, information security must become a top priority in defending their organization’s future. According to Deloitte’s third-quarter 2014 CFO Signals™ survey, North American CFOs view cybersecurity as a high priority, but there are certainly concerns about implementation of information security plans.
Overall, 74% of 103 CFOs said cyber security is a top priority, while only 6% of those surveyed do not view it as a high priority. Obviously, security threats will continue to be a major business disrupter. This is confirmed by the finding that more than half of CFOs surveyed cited anxieties about security of data, intellectual property, and facilities.
Risk vs. Reward
Business leaders recognize the enormous benefits of cyberspace, yet many are having difficulty determining the risk versus the reward. The benefits of cyberspace come with significant risks, and the threat of cyberattack is firmly at the top of the board agenda.
While organizations are exploiting the business benefits of cyberspace, they may not realize that it confers the same benefits to those who attack those organizations. Hacker groups, criminal organizations, and espionage units worldwide have access to powerful, evolving capabilities, which they use to identify, target, and attack.
Many of the security activities associated with cybercrime are based on fundamental information security incident management, and are covered under such topics as information security incident management and forensic investigations. But cybercrime often involves sophisticated, targeted attacks against an organization and, as such, additional security measures may be required to respond to specific cybercrime-related attacks.
Cybercrime-related intelligence relating to the development of attacks should be reviewed by the CFO on a regular basis to determine:
- The extent to which the organization is at risk of a cybercrime-related attack.
- How targeted information could be used by criminals.
- The techniques used by criminals to perform cybercrime-related attacks.
Damage to Brand Reputation
Attackers have become more organized, attacks have become more sophisticated, and all threats are more dangerous and pose more risks to an organization’s reputation. In addition, brand reputation and the trust dynamic that exists among suppliers, customers and partners have appeared as very real targets for the cybercriminal and hacktivist
With the speed and complexity of the threat landscape changing on a daily basis, all too often we’re seeing businesses being left behind, sometimes in the wake of reputational and financial damage. When a data breach occurs, it’s important to limit its impact and the potential impact on the organization’s reputation. CFOs need to ensure they are fully prepared to deal with these ever-emerging challenges by equipping their organizations better to deal with attacks on their reputations. And the faster you can respond to these attacks on reputation, the better your outcomes will be.
From Employee Awareness to Embedded Behavior
Organizations continue to heavily invest in developing human capital. The implicit idea behind this is that awareness and training always delivers some kind of value with no need to prove it – employee satisfaction was considered enough. This is no longer the case.
Today’s CFOs demand return on investment forecasts for the projects they have to choose among and awareness and training are no exception. Evaluating and demonstrating their value is becoming a business imperative.
Finance chiefs understand that spending a small amount up front could very well save the organization a great deal in the event a breach occurs. Unfortunately, there’s no single process or method for introducing information security behavior change. That’s because organizations vary so widely in their demographics, experiences, achievements, and goals.
The time is right, and the opportunity to shift from awareness to tangible behaviors has never been greater. CFOs have become more cyber-savvy, and regulators and stakeholders continually push for stronger governance, particularly in the area of risk management. Moving to behavior change will provide the chief information security officer with the ammunition needed to provide positive answers to questions that are likely to be posed by the CFO and other members of the senior management team.
Do I Really Need Cyber Insurance?
Of the 970 financial professionals who attended the AFP conference in Washington last November, and responded to a survey, 62% said that their organization has been subject to either an actual or attempted cyber-attack at least once over the past year. Only 15% of financial professionals responding to the survey said their companies have upped the amount of cyber insurance carried. Is cyber insurance necessary?
Privacy exposure has been a key motivator for some organizations to purchase cyber insurance. Others are motivated by growing regulatory exposure. It’s no longer just the organizations that we’ve traditionally focused on, including financial institutions, retail, health care, and higher education. Those industries have been buying insurance for a long time. The health care industry has been a particularly large buyer of cyber insurance, stemming from the enormous volumes of customer data health care outfits must handle. I’m also seeing players in a number of new industries, such as manufacturing and supply chain, who are purchasing cyber insurance because of regulatory concerns.
But remember: cyber insurance is no replacement for sound cyber security and cyber- resilience practices. On the contrary, well-resourced compliance practices can often positively reduce the associated premiums for cyber insurance. Further, finance chiefs need to look very carefully at the small print – many policies don’t cover state-sponsored attacks and may not provide you with the full financial cover that you would wish.
Is Cyber Security Enough?
Far too often, organizations implement measures to prevent cyberattacks in response to a data breach. A meticulous CFO can save the company the embarrassment and financial impact of a major breach by taking proactive steps in anticipation of targeted attacks. Companies should take the time to develop a data breach response program. The must also rehearse various scenarios before an incident occurs.
But establishing cyber security alone is not enough.